
New Attack Leverages Mobile Ad Network to Deliver Android Malware

Researchers at Palo Alto Networks have uncovered a new malware strain that is being installed with legitimate Android apps and then connecting back to mobile ad networks in the background as part of a scheme to wring money from its victims.

Ad networks have been a key component of the malware and cybercrime ecosystem for a long time and their role is becoming more and more complicated, as researchers from WhiteHat Security showed at Black Hat recently. That problem is now moving to the mobile Web.

The concept of malware riding shotgun with legitimate mobile apps is not a new one. There have been a slew of cases in which attackers have compromised apps in the Google Play store and inserted malware into the file. But this attack uses a new technique that starts with the user installing an app on her Android phone. The app could be a legitimate one or a malicious one, but it will include some code that, once the app is installed, will reach out to an ad network. Many apps include such code for legitimate ad revenue purposes, but these apps are connecting to a malicious ad network. Once the connection is made, the app will wait until the user is trying to install another app and will pop up an extra dialog box asking for permission to install some extra code.

That code is where the bad things lie. The malicious code immediately gains control of the phone’s SMS app, both for command and control and to sign the victim up for some premium-rate SMS services. The attack is interesting, said Wade Williamson, a senior security analyst at Palo Alto, because the attackers can use a legitimate ad network that’s already connected to a group of apps and then, at any given time, flip the switch and begin using it for malicious purposes.

“It’s very much like tracking a botnet. Ad networks in a lot of ways are like ready-built botnets,” he said. “This gets to be a lot more insidious because of the way mobile ad networks work. Normally you need to install the ad network’s SDK in the app itself. The apps could be good or bad, but they’re reaching out to ad networks that are bad and deliver the APK in the background. It can run in memory and not have to be installed and be quite happy there.”

The new attack, of which Williamson said he’s seen about seven samples so far, is coming from Asia. Palo Alto discovered the samples hitting some special sites they have set up in Asia to attract malware samples. Williamson said that there may be other ad networks involved, but it’s not clear yet. What is clear is that attackers are continuing to get creative and evolve their techniques as security companies adjust their defenses.

“With this attack, you can print money pretty quickly. You have a pre-built botnet as a distribution engine and you can start milking users for small amounts of money that they might not notice,” Williamson said.

Authors

Threatpost
